Already I have read comments and opinions on the recently released proposed rules for Accounting of Disclosures (AoD), including how problematic, burdensome, etc. it will be for covered entities to generate and provide these AoDs to requestors. I haven’t come across too much from the covered entity community that has been very supportive of these rules.

When you combine these proposed rules with the general statement from the covered entity community that the number of requests for AoDs is a very small number, it seems that these proposed rules may need to be recalibrated to reflect the reality on the scale of AoD requests and therefore, the context in which these rules exist.

My word of advice: if you have feedback, concerns, support, or observations on these proposed rules (good or bad), make use of the comment period. You just may make the difference in what ultimately appears in the final rule.

The rule will ultimately lay the foundation for what healthcare providers will be accountable for when patients request disclosures on their electronic medical records. HITECH expands an individual’s right to request accounts on disclosures of his/her health record.

The proposed rule also includes a new right for patients to request an “access report,” which will tell patients who exactly accessed and viewed their PHI. This right was not included in HITECH.

“We believe that these changes to the accounting requirements will provide information of value to individuals while placing a reasonable burden on covered entities and business associates,” according to HHS in the proposed rule. “The process of creating a full accounting of disclosures is generally a manual, expensive, and time consuming process for covered entities and business associates.”

The Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, in May 2010 published a notice in the Federal Register asking for help crafting this proposed rule on accounting of disclosures on EHRs.

OCR wrote that it wanted to “better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform [our] rulemaking in this area.”

Current law exempts disclosures to carry out treatment, payment and healthcare operations. But HITECH changed that, allowing patients to request these types of disclosures through an EHR.

The following is the second in a series of tips to follow if the OCR investigates your facility.

Ensure that you have a clear understanding of what has happened and convey that to government investigators, Andrew B. Serwin, Esq., a partner at Foley & Lardner, LLP's Washington, DC, office, said at the February HIPAA Summit. "It is usually to your benefit to have the agency understand the facts as you understand them."

"You can't underestimate the importance of getting your facts right," said Peter McLaughlin, Esq., senior counsel at Foley & Lardner, LLP's Boston office, who joined Serwin for the summit presentation. Don't create a credibility problem by changing your story down the line, he said.

Consider requesting confidentiality for documents you turn over to investigators, said Serwin. The federal Freedom of Information Act allows individuals to request to see documents that are part of an investigation. If you've requested confidentiality, the government may release redacted documents, with certain information, such as patient names, removed.

Q: I've been struggling with HIPAA authorization requirements regarding website postings of patients' healthcare stories. If patients voluntarily post their stories on our Facebook or other social media sites, can we use those stories in other media, such as fundraising brochures, without obtaining specific authorization?

A: No. Even though patients sometimes post their stories on an organization's social media website, you should not use these stories for other purposes without the patient's written authorization. Patients may be willing to share their stories publicly, but they may not want them used for other purposes, such as fundraising.

Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question for the Briefings on HIPAA newsletter. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.